I have an SSL certificate installed on my hosted site and Secure Pages allows me to enable it, but it doesn’t change the base URL as a user browses the site. All the content can be accessed via either http://www.mysite.com or https://www.mysite.com, however. My settings are:
Secure Pages: enabled
Switch back to http pages when there are no matches: checked
Non-secure Base URL: http://www.mysite.com
Secure Base URL: https://www.mysite.com
Pages which will be secure: Make secure only the listed pages
node/add*
node/*/edit
user/*
admin*
cart*
Ignore pages:
*/autocomplete/*
*/ajax/*
imce*
Since there is still no documentation on Secure Pages I’m not sure if any mods to .htaccess are necessary to use it. Please help!
Comments
Anybody? I’ve tried
Anybody? I’ve tried disabling Clean URLs, clearing caches, and all variations of the options, but still nothing. I’m probably not the only one in this boat from what I’ve seen.
Me too, just installed it
I've just installed securepages. It sounded promising, but I have no luck getting it to redirect to https:
Workaround for one problem
I was having problems getting the redirect to work too. I was initially using the following keywords which SHOULD have worked:
*/cart/*
*/user/*
After doing some extensive testing I found that if I stripped out the first / in the keywords it would work for me. Like this:
*cart/*
*user/*
Oddly for the ignore pages, the top keywords work properly. I think it might be something with the RegEx being used in the securepages_match() function but I didn't have time to look at it closer. Hope that helps someone.
I can't tell for sure from
I can't tell for sure from your description what your problem is, but one thing to note is that Drupal will often send you to your site's base URL (e.g. on login), so I always make sure that my settings.php is set up like this:
$base_url = 'http://mydrupalsite.org'; if (isset($_SERVER['HTTPS']) && $_SERVER['H
TTPS'] == 'on') { $base_url = preg_replace('/http[s]?:\/\//i', 'https://', $base
_url); }
The other thing you should be particularly aware of is that Secure Pages all by itself is security theatre, because Drupal will set session cookies that are visible in http requests that attackers can use to hijack sessions. There are two easy ways around this: 1) use https only (secure pages not needed) or 2) use Secure Pages along with the "Secure Pages Hijack Prevention" module, which adds a second cookie that is only transmitted via https. This keeps you logged in from https -> http -> https transitions (which wouldn't happen if the login session cookie was https only), but also prevents hijacking because the second cookie must be set correctly or the attacker will be logged out.
With those two configuration steps, I usually leave the actual redirection function of Secure Pages alone. The redirection pretty much works for me, so I'm sorry to say I don't have a good idea as to why it does not for you.
Good luck,
- Greg
I had the exact same problem,
I had the exact same problem, strangely enough I corrected it by checking "Make secure every page except the listed pages." instead of "Make secure only the listed pages." I still had listed the pages I wanted secured even though I had select the "except the listed pages". It is though it is the opposite of what it should be. Still doesn't switch back to http pages correctly. For me it is better to have every page secured than none.
What host are you using?
Perhaps that might help. I am on rackspace and secure pages with SSL certificate is working just fine. If you are as well, them maybe I can help get it going for you.
Try this...
If you have an editor (e.g., CKEditor), ensure you are editing in plain text mode so that you don't get the extra p tags. Switch to plain text mode and remove any such tags.
Ah, the solution
OK, in addition to disabling editors as mentioned above, put each item on its own line in the Secure Pages config page
i.e., for Pages:
node/add*
node/*/edit
user/*
admin*
cart/checkou*